Executive Summary
The FDIC's Controls for Safeguarding Sensitive Information in Resolution Plans Submitted Under the Dodd-Frank Act
Report No. AUD-14-008
July 2014

Why We Did The Audit
Section 165(d) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) and the FDIC and Board of Governors of the Federal Reserve System's (FRB) Final Rule, entitled Resolution Plans Required, dated November 1, 2011, require large, systemically important financial companies to submit resolution plans, sometimes referred to as "living wills," to the FDIC and to the FRB. The intent of this requirement is for a large financial company to describe how it could be resolved under the U.S. Bankruptcy Code without serious adverse effects on U.S. financial stability. The resolution plans required by section 165(d) and the Final Rule contain sensitive information. Accordingly, safeguarding the plans from unauthorized access or disclosure is critical to achieving the FDIC's mission of maintaining stability and public confidence in the nation's financial system.

The audit objective was to determine whether the FDIC's controls for safeguarding sensitive information in resolution plans submitted under section 165(d) of the Dodd-Frank Act are consistent with applicable information security requirements, policies, and guidelines. We conducted the audit in two phases. During the first phase, we assessed the FDIC's controls over sensitive resolution plan information and briefed FDIC management in February 2013 on our preliminary observations. During the second phase, we determined the status of actions that had been taken to address our preliminary observations as of February 2014.

Background
The Final Rule established a staggered schedule for submitting resolution plans based on the amount of total nonbank assets that financial companies own. The first group of filers consisted of 11 companies with $250 billion or more in nonbank assets. Nine of these companies submitted initial resolution plans by July 1, 2012, and the remaining two companies submitted initial plans by October 1, 2012. Our audit focused on the controls that the FDIC had in place to safeguard resolution plans submitted by this first group of financial company filers.

The FDIC and FRB jointly review the resolution plans to determine whether they would facilitate an orderly resolution of the company under the U.S. Bankruptcy Code. Within the FDIC, the Office of Complex Financial Institutions (OCFI) has primary responsibility for reviewing the resolution plans submitted by the first group of financial company filers. The results of the FDIC's reviews, including findings and analyses, are contained in electronic and hard-copy documents referred to as Review Materials. The FDIC has determined that Review Materials constitute sensitive information.

Information security requirements, policies, and guidelines applicable to safeguarding sensitive information in resolution plans include relevant provisions of the Dodd-Frank Act and the Federal Information Security Management Act of 2002, National Institute of Standards and Technology security standards and guidelines, the Government Accountability Office's Standards for Internal Control in the Federal Government, Office of Management and Budget guidance, and FDIC policies and procedures.

Audit Results
We initially found that the FDIC's controls for safeguarding sensitive information in resolution plans submitted under section 165(d) of the Dodd-Frank Act were not fully consistent with applicable information security requirements, policies, and guidelines. Among other things, we found that the security level of sensitive resolution plan information had not been formally categorized in accordance with federal standards, key OCFI security policies and procedures needed to be updated and finalized, access controls needed to be strengthened, and the role and level of resources allocated to OCFI's internal review and information security functions needed to be assessed.

We met with the Director, OCFI, in February 2013 and shared our preliminary observations from the first phase of the audit. We also met with officials in the Division of Administration and Division of Information Technology, which began reporting to the newly appointed Chief Information Officer (CIO) in July 2013, because these officials had responsibility for addressing some of our preliminary observations. Throughout 2013, and prior to the close of the audit in February 2014, the FDIC was taking actions to address our preliminary observations and strengthen security controls over sensitive resolution plan information. Of particular note, the FDIC:

    •   formally categorized sensitive resolution plan information, including Review Materials, consistent with federal standards;
    •   assigned an Information Security Manager from another FDIC division to help establish and implement security controls over sensitive information maintained by OCFI;
    •   updated and formally approved key OCFI security policies and procedures;
    •   strengthened controls over the management of hard-copy resolution plans and Review Materials;
    •   began requiring security guards to use individual access codes when entering secured workspaces where resolution plans and Review Materials are stored, to promote accountability; and
    •   developed a formal internal review manual and plan that address information security.

The actions taken by the FDIC since the start of the audit significantly improved the state of security over sensitive resolution plan information. Our report describes additional steps that the FDIC can take to further mitigate risk in this area. In general, these steps involve enhancing controls related to access management, encryption and authentication, internal control reviews, and personnel suitability.

Recommendations and Corporation Comments
Our report contains four recommendations addressed to the Director, OCFI, and three recommendations to the Acting CIO that are intended to enhance security controls over sensitive resolution plan information. In many cases, the FDIC was already working to enhance security controls in these areas during the audit. We identified certain other matters that we did not consider significant in the context of the audit objective, and we communicated those separately to appropriate FDIC management officials.

The Director, OCFI, and the Acting CIO provided separate written responses, dated June 20, 2014, to a draft of this report. In their responses, the officials concurred with all seven of the report's recommendations and described ongoing and planned actions that address the recommendations.

Because this report contains sensitive information, we do not intend to make the report available to the public in its entirety. We will, however, post this Executive Summary on our public Web site.